Securing Photovoltaic Systems as Critical Infrastructure: A Multi-Layered Assessment of Risk, Safety, and Cybersecurity

Abstract

This article presents a comprehensive analysis of photovoltaic (PV) systems, focusing on their development and emerging security challenges over the past decade in Europe and Romania. It begins by presenting regional deployment trends and the increasing significance of PV systems in national energy strategies. In the Romanian context, a risk-based evaluation is conducted to assess the technical vulnerabilities and strategic relevance of PV installations, emphasizing the necessity to formally integrate them into the category of critical infrastructure. The study explores current safety practices, cybersecurity measures, and physical protections, identifying gaps that may affect operational continuity and infrastructure reliability. Given the growing exposure of PV systems to digital threats, the need for robust and adaptive cybersecurity strategies is also highlighted. In line with the principles of a sustainable circular economy, this work underlines the importance of embedding risk management and technical reliability across the entire lifecycle of PV systems. The authors propose recommendations aiming to enhance the resilience, security, and sustainable evolution of PV systems as vital components of a modern, decarbonized energy infrastructure.

1. Introduction

Energy plays a vital role in economic development, institutional functioning, and national security [1]. Dependence on energy imports exposes countries to risks from price fluctuations, sanctions, and geopolitical conflicts [2]. As a result, diversifying energy sources—particularly through renewables—has become a strategic priority [3]. While the transition to green energy supports decarbonization goals, it must be carefully balanced with the need to maintain a stable and secure energy supply [4].

The purpose of this study is to highlight three elements of strategic value. This study focuses on three key strategic elements. First, it emphasizes the need to recognize solar PV systems as critical energy infrastructure, based on their strategic role in supporting energy diversification, environmental sustainability, and economic development [5]. PV systems not only reduce greenhouse gas emissions but also improve the stability of electricity distribution and offer interconnectivity with other critical infrastructures [6]. Their classification as critical infrastructure would enhance access to European funding, promote technological innovation, and improve workforce development through the creation of green jobs.

The second scope of the study involves a comprehensive evaluation of the safety, security, and physical protection of solar PV infrastructure in Romania. This is achieved by conducting a detailed SWOT analysis that identifies the strengths, weaknesses, opportunities, threats, risks, vulnerabilities, and hazards of PV systems. The study presents the natural, technical, and human sources of risk, examines their likely consequences, and determine the probability and size for each given instance. Based on this analysis, the level of risk is calculated, followed by the proposal and implementation of mitigation measures. The effectiveness of these measures is then evaluated by recalculating the severity and risk levels to validate system resilience improvement.

Third, the research conducts a focused cybersecurity risk analysis of PV systems. With their increasing connectivity and reliance on digital infrastructure, PV installations are exposed to cyber threats that could compromise both energy supply and grid stability. The study includes a gap analysis aligned with international cybersecurity standards such as ISO/IEC 27001:2022 [7], the NIST Cybersecurity Framework (CSF)/2024, the EU NIS2 Directive, and Romania’s OUG 155/2024 [8]. Key vulnerabilities in SCADA devices, inverters, and communication protocols are analyzed, and recommendations are provided for improving cybersecurity resilience as part of sustainable infrastructure management.

Recent studies have demonstrated the expanding role of solar PV energy technologies in promoting sustainability beyond power generation. For instance, solar-powered systems have been effectively applied to sustainable wastewater treatment [9] and eco-friendly desalination using impedance spectroscopy [10], highlighting their broader contribution to sustainable resource management.

The PV systems discussed in this article are typically categorized by installed capacity (measured in kW/MW), application type, characteristics cost, efficiency, and Return on Investment (ROI) as shown in

Table 1. PV system categories, cost, efficiency, and Return on Investment (ROI) [11,12].

Category	Power Range	Application	Characteristics	Cost per Watt ($)	Efficiency (%)	ROI (Years)
Residential	<10 kW	Installed on rooftops of homes.	- Used for self-consumption and grid-tied systems - May include battery storage for backup	2.50 ÷ 3.50	15 ÷ 22%	5 ÷ 10
Commercial	<250 kW	Found on business buildings, schools, and shopping centers.	- Used to offset electricity costs - Often connected to local grids with net metering	1.50 ÷ 2.50	16 ÷ 22%	4 ÷ 8
Industrial	<1000 kW (1 MW)	Used in factories, manufacturing plants, and data centers.	- Supports high energy demands and may include on-site battery storage - May be grid-connected or hybrid	1.20 ÷ 2.00	17 ÷ 23%	3 ÷ 7
Utility-Scale	>1000 kW (1 MW+)	Large-scale, ground-mounted solar PV fields.	- Generates electricity for utility grids - Includes centralized inverters and tracking systems for maximum efficiency - Requires high-voltage grid connections	0.90 ÷ 1.50	18 ÷ 24%	2 ÷ 6

[11,12].

Critical infrastructure is essential for maintaining the principal functions of a society, safeguarding public health, and ensuring economic stability by protecting vital services, financial systems, and supply chains [13]. It also enhances resilience during crises, such as natural disasters, pandemics, or cyberattacks. Romania’s energy infrastructure, as part of both national and European critical infrastructure, faces multiple vulnerabilities—including cyber threats, natural hazards, geopolitical risks, and physical attacks—making its protection a strategic priority in the current threat landscape [14,15]. Given the critical role of energy infrastructure, Romanian authorities and operators must adopt comprehensive protection strategies, including risk assessments, physical and cybersecurity measures, and staff training [16]. Ensuring resilience also involves institutional cooperation with national bodies (SRI, DSU, ANRE) and international partners (EU, NATO), as well as implementing continuity plans to restore essential services after disruptions [17].

Solar PV systems are becoming one of the fastest-growing renewable sources, driven by falling costs—over 80% in the past 10–15 years—and rapid technological advancements such as perovskite cells, bifacial panels, and building-integrated PV systems [18]. Energy storage solutions and smart grid integration are essential for ensuring reliability, while waste management emerges as a growing challenge [19]. Countries like China, the USA, and European pioneers (Germany, Spain, Italy) are leaders in installed capacity and supportive policies [20].

2. A Decade of PV Installations in Europe and Romania

The EU countries have added solar PV systems annually in recent years significantly, driven largely by rising electricity prices. The lifting of trade barriers on Chinese PV modules in 2018 was also significant to boosting growth. With electricity prices now stabilizing and growth slowing in 2024, policymakers may need to implement novel strategies to further installations to meet energy targets.

The annual solar PV installed capacity in the EU-27 has seen a significant increase over the years. Installations accelerated notably after 2018, following the end of EU trade barriers on Chinese PV modules.

The major growth phases were 2020–2022 with a rapid increase in installations (+41% in 2020, +45% in 2021, and +53% in 2022) and 2023–2024. The growth has slowed down since 2023, but remained positive (+4% increase from 2023 to 2024 and 65.5 GW installed in 2024, compared to 62.8 GW in 2023) as shown in Figure 1 [21].

Regarding the impact of electricity prices, there was an unexpected electricity price surge between June 2021 and May 2023, (+131% for non-household consumers and +79% for household consumers). The high prices likely stimulated investment in solar energy. From June 2023 to June 2024, electricity prices stabilized with a -22% decrease for non-household consumers and a 9% decrease for household consumers; therefore, this stabilization may have slowed the growth in solar PV systems.

At the end of 2021, approximately 44% of the total energy production in Romania was represented by renewable energy sources, of which 2.307% was contributed by PV solar energy [21]. The REPowerEU Target underlined that the EU needs an average annual installation of 69 GW (2025–2030). The 2024 figure of 65.5 GW suggests progress but also highlights the challenge of maintaining consistent growth. The growth rate in 2024 is much lower compared to 2021–2023, and there is a 92% decrease in growth compared to the 2021–2023 period, suggesting that the market momentum is slowing [22]. Europe needs to install approximately 70 GW per year to achieve its 2030 targets. SolarPower Europe’s forecast for 2025 to 2028 is for growth to stabilize between 3% to 7% for the next couple of years. Growth rates will decelerate to 3% in 2026, with 72.3 GW of new solar capacity, as developers respond to grid constraints and market uncertainty. The Medium Scenario of SolarPower Europe estimates an improvement of 6% to 76.5 GW in 2027, and 7% to 81.5 GW in 2028 [23].

In Romania, during 2016–2021, the installed capacity remained relatively stable, with minimal growth. In 2022, there was a slight increase in capacity, reaching approximately 1413 MW. In 2023, there was significant growth, with capacity nearly doubling to around 2900 MW. In 2024, the expansion continued with the total installed capacity reaching approximately 4600 MW (Figure 2) [24].

The data reflect steady growth until 2022, followed by a rapid increase in 2023 and 2024, with 1.7 GW added in 2024, bringing the total capacity to 4.6 GW. As of early 2025, Romania accounts for approximately 0.23% of the total global installed solar PV capacity, and around 1.48% of the total installed PV capacity within the European Union. These estimates are based on Romania’s cumulative installed solar capacity in comparison to the global total of roughly 2200 GW and the EU total of about 338 GW [22]. Romania’s geographical position, policy support, and increased investments are factors contributing to this growth. Romania’s geographical position offers considerable solar potential, with an annual solar energy flow between 1000 and 1300 kWh/m²/year (Figure 3) [25,26].

The practical solar PV potential, namely PV power output (PVOUT) (Figure 3), represents the amount of power generated per unit of the installed PV capacity over the long-term. It is typically measured in kilowatt-hours (kWh) per kilowatt-peak (kWp) of system capacity, providing a standardized metric for assessing the performance and efficiency of PV installations [26].

Supportive policies such as contracts-for-difference (CfD) auctions and funding programs have boosted investment in Romania’s solar sector, attracting both local and international stakeholders [28]. This process enables most PV projects to reach grid connection within 1.5 to 2 years. While progress is notable, further improvements could include stricter timelines, penalties for delays, and greater transparency to enhance accountability. According to GlobalData [25], the highest PV power potential is found in regions where a unique combination of factors—such as persistent clear sky conditions, clean air, low ambient temperatures, and high altitude—results in a thinner atmosphere compared to lower elevation areas, thus enhancing solar energy conversion efficiency. Unlike theoretical potential, the technical potential reflects the realistic conversion of available solar energy into electricity by accounting factors such air temperature, terrain horizon, albedo, module tilt and configuration, shading, soiling, and other elements that influence system performance. The values of solar resources and PV power potential in Romania are presented in Figure 4.

PVOUT measures (as seen in Figure 4): P0_MIN = Level 0: Minimum value; P1_MIN = Level 1: Percentile 0.5 value; P1_P25 = Level 1: Percentile 25 value; P1_MED = Level 1: Percentile 50 (median) value; P1_MEAN = Level 1: Mean value; P1_P75 = Level 1: Percentile 75 value; P1_MAX = Level 1: Percentile 99.5 value; P0_MAX = Level 0: Maximum value [26].

In Romania, the PVOUT is 3,7 and seasonality index is 3.07 (2.09–4.10). The long-term energy content of the solar resource available at a certain location defines the theoretical solar PV potential. For PV technology, the energy content is well quantified by the physical variable of GHI. It is the sum of the direct and diffuse irradiation components received by a horizontal surface, measured in kWh/m². GHI enables a comparison of the conditions for PV technology without considering a specific power plant design and mode of operation. The global horizontal irradiation GHI is the first approximation of the PV power production in a particular region, but it disregards important additional factors. The theoretical solar resources (GHI, if integrated solar energy is assumed), as seen in Figure 4, are as follows: T_MIN = Minimum value; T_MEAN = Mean value; T_MAX = Maximum value [26].

Romania is foreseen to achieve an unprecedented rise in the PV sector in the near future, boosted by financing programs such as “Casa Verde” [28] (and RePowerEU [22]), the liberalization of energy prices (that will come into effect on end of June 2025), and the general increased interest of Romanians in getting rid of the worries of bills and becoming energy-independent.

As of 21 March 2025, the total installed power capacity in Romania is reported to be 19,118.32 MW, according to ANRE. The cumulative electricity production capacity of the country is illustrated in Figure 5 and

Table 2. Installed power in Romania [29].

Type of Energy	MW	%
Hydro	6687.78	34.9810
Wind	3095.31	16.1903
Coal	2762.2	14.4479
Hydrocarbons	2713.78	14.1946
Solar	2307.35	12.0688
Nuclear	1413	7.3908
Biomass	106.27	0.5559
Biogas	22.46	0.1175
Waste	6.03	0.0315
Residual Heat	4.1	0.0214
Geothermal	0.05	0.0003

. Among the various energy sources, solar PV systems account for 2307.35 MW, contributing, so far, approximately 12% of the total installed capacity in Romania [29].

As of early 2025, Romania has approximately 204,000 prosumers with a combined installed capacity of 2.44 GW [29]. Presented by county, in Figure 6 are the total installed capacity of Romania’s PV fields (MW) and their number (indicated by black dots).

Projects for PV fields to be installed (in the near future in Romania) are presented in

Table 3. PV fields to be installed in Romania [30].

County	Location (Commune) in Romania	Capacity [MW]
Dolj	Piscu Sadovei	1500.00
Dolj	near Calafat	1050.00
Arad	Pilu și Grăniceri	1044.00
(Grasshopper Romania Solar PV Field)		1000.00
Teleorman	Băbăita	710.00

[30].

While the solar PV sector is rapidly advancing, the underdeveloped state of energy storage infrastructure limits grid efficiency and compromises overall system stability. The new benchmark solution on the domestic market is the lithium–iron–phosphate (LiFePO4) battery, characterized as a safer and more effective technology than lithium-ion batteries, which reduces the risk of fires [31]. After the Romanian government published new technical regulations for energy storage on 18 January 2025, the newest energy storage and conversion solutions must be implemented into the Romanian market, including Livoltek inverters [32]. Also, ENPHASE microinverters and batteries [32], produced in the USA and developed with the help of Romanian inventor Nelu Mihai from Silicon Valley, revolutionize the solar energy conversion and use process. The microinverters allow direct AC production, eliminating the risk of conversion and increasing efficiency [33,34].

3. Assessing the Security and Safety of PV Systems as Critical Energy Infrastructure in Romania

3.1. SWOT Analysis

The SWOT analysis is conducted according to ISO 31000:2018 [35] Risk Management.

3.1.1. Strengths

(a)

Sustainability and low environmental impact

• Produce clean energy, without CO₂ emissions;
• Do not generate noise pollution or hazardous waste;
• Have a minimal impact on biodiversity, especially if they are harmoniously integrated into the landscape.

(b)

Energy efficiency and independence:

• Reduce dependence on fossil fuels and their price fluctuations;
• Can contribute to the energy independence of a country or region;
• Are scalable, and can be expanded according to needs.

(c)

Low long-term costs:

• After the initial investment, operating and maintenance costs are relatively low;
• PV panels have a lifespan of 25–30 years, offering long-term returns;
• Government subsidies and support schemes can make the investment even more profitable.

(d)

Easy installation and maintenance:

• Installing a PV system is faster compared to other types of power plants;
• Requires little maintenance, as the panels have no moving parts that wear out quickly.

(e)

Flexibility and diversification of land use:

• Can be installed on unproductive or unused land;
• Coexist with other activities, such as agriculture (agrivoltaics);
• Can be integrated into smart-grid networks to optimize consumption.

3.1.2. Weaknesses

(a)

Dependence on weather conditions. The efficiency of the panels decreases on cloudy or rainy days, and the energy production is zero at night.

(b)

The need for large land areas. To produce a significant amount of energy, PV fields require large areas of land, which can lead to deforestation or the reduction in agricultural land.

(c)

Relatively low efficiency. The conversion of solar energy into electricity is not 100% efficient, with most panels having efficiencies of 15–22%.

(d)

High initial costs. Although the prices of solar panels have decreased in recent years, the initial investment for a PV park remains significant.

(e)

Environmental impact. Although solar energy is considered clean, the production and disposal of PV panels can generate toxic waste and CO₂ emissions.

(f)

Dependence on batteries for storage. To ensure continuous energy, storage systems (batteries) are needed, which are expensive and have their own environmental impact.

(g)

Issues related to grid integration. Production fluctuations can create difficulties in the stability of the electricity grid and require solutions to balance supply and demand.

(h)

Limited lifespan. PV panels have a lifespan of approximately 25–30 years, after which their efficiency decreases, requiring replacement and recycling.

(i)

Possible maintenance issues. Although they are relatively easy to maintain, the panels must be cleaned periodically and monitored for defects or loss of efficiency.

(j)

Impact on biodiversity. In certain cases, the construction of PV fields can affect local flora and fauna, especially in protected natural areas.

3.1.3. Opportunities

(a)

Economic opportunities

• Energy cost reduction—Own solar energy production can lead to lower costs for consumers and businesses;
• Profitable investments—The financial returns of PV fields are attractive due to the decrease in the prices of solar panels and their increase in efficiency;
• Job creation—The installation and maintenance of solar panels generates jobs in the renewable energy sector;
• Subsidies and financing—Governments and international organizations offer various financial support schemes for the development of renewable energy.

(b)

Environmental opportunities

• CO₂ emission reduction—Solar energy is clean and contributes to reducing dependence on fossil fuels;
• Long-term sustainability—The sun is an inexhaustible resource, and its use does not negatively affect the environment;
• Reuse of degraded land—PV fields can be located on unproductive or abandoned land, giving it a new utility.

(c)

Technological Opportunities

• Innovations in energy storage—Modern batteries allow the storage of solar energy for use at night or on cloudy days;
• Integration into smart grids—PV fields can be connected to smart grids, optimizing energy distribution;
• Increased automation and efficiency—New technologies, such as artificial intelligence and cleaning robots, improve the performance and maintenance of solar fields.

(d)

Security Opportunities

Critical energy infrastructure—There is a possibility that PV fields can become critical energy infrastructure, with a role in ensuring energy and national security.

3.1.4. Threats, Risks, Vulnerabilities, and Hazards

• Threats
  • Natural factors—Storms, hail, wildfires, earthquakes, or floods can damage solar panels and park infrastructure;
  • Vandalism and theft—Solar panels, inverters, and cables are attractive to thieves, and vandalism can affect energy production;
  • Cyberattacks—Control and monitoring systems can be targets for cyberattacks, affecting the operation of the park;
  • Regulations and policies—Changes in legislation, new taxes or land restrictions can threaten the economic viability of the project.
• Risks
  • Decreased efficiency—Dust, dirt, or the degradation of panels over time can reduce energy production;
  • Technical problems—Failures in inverters, connections, or energy storage system can affect the continuity of production;
  • Dependence on weather conditions—The performance of a PV park depends directly on the intensity of sunlight, with a risk of lower production on cloudy days;
  • Impact on the environment and biodiversity—Deforestation for the installation of the park or changes to the ecosystem can affect local fauna and flora;
  • Unforeseen costs—Increased maintenance costs, repairs, or price changes to equipment can affect profitability.
• Vulnerabilities
  • Physical security—A poorly protected park is vulnerable to vandalism and theft;
  • Dependence on supply chains—Problems with suppliers of panels, inverters, or batteries can delay projects and increase costs;
  • Lack of infrastructure—Connecting the park to the electricity grid can be difficult if the local infrastructure is not ready for such integration;
  • Long payback period—The amortization of the initial costs can take years, and fluctuations in the price of electricity can affect profitability.
• Hazards
  • Environmental impact
    • Deforestation and habitat loss—PV fields are sometimes built on agricultural land or forests, affecting biodiversity;
    • Impact on wildlife—Animals may be disturbed by changes in habitat or by the reflection of solar panels;
    • Impact on soil and water—Changes to the land for the installation of panels can lead to erosion or changes in water runoff.
  • Economic and social issues
    • Agricultural land use—If installed on fertile land, they can reduce the agricultural area available for food production;
    • Visual impact—PV fields can alter the landscape and may be considered unsightly by local communities;
    • Noise and nuisance—Although the panels themselves do not produce noise, auxiliary equipment such as inverters and cooling systems can generate some level of noise pollution.
  • Recycling and waste management issues
    • Difficulty in recycling panels—Solar panel components (glass, silicon, heavy metals) are difficult to recycle, which may lead to environmental problems in the future;
    • Use of rare materials—Panels contain metals such as cadmium or tellurium, the extraction of which may have a negative impact on the environment.
  • Technical, safety, and security aspects
    • Fire risk—Solar panels and electrical equipment can present hazards in case of overload or technical defects;
    • Material degradation—Solar panels have a limited lifespan (around 25–30 years), and managing the resulting waste can be problematic;
    • Electromagnetism—Some studies suggest that the equipment used in PV fields could generate electromagnetic fields, but the effects on health are still debated;
    • Blackout risk—Some inverters can be remotely controlled by certain manufacturing companies, which makes the risk of disconnection of PV fields very likely and with a very serious gravity and impact on energy and national security.

3.1.5. Security, Safety, and Protection Measures

• Physical protection and security
  • Fencing and access control—Installation of security fences and controlled access gates to prevent intrusion;
  • Video surveillance systems—Use of surveillance cameras with motion detection and 24/7 monitoring;
  • Detection sensors—Implementation of sensors to detect movement, vibration, or opening of panels;
  • Security patrols—Presence of security personnel or drones for regular inspections;
  • Anti-theft and anti-vandalism systems—GPS tracking devices for panels, alarms, and invisible markings for components.
• Electrical safety and equipment protection:
  • Grounding system—Prevention of electric shock and protection of equipment against atmospheric discharges;
  • Lightning protection—Installation of lightning rods and surge arresters;
  • Circuit breakers and overload protection—Installing safety equipment to prevent short circuits and fires;
  • Adequate ventilation and cooling—Preventing equipment from overheating through efficient cooling systems;
  • Periodic maintenance and inspection—Checking connections, wiring, and panels to prevent failures.
• Protection against natural factors and disasters
  • Wind and weather protection—Installation resistant to strong gusts, hail, and floods;
  • Fire prevention—Using fire-retardant materials and a rapid-fire response plan;
  • Weather monitoring—Alert systems for extreme conditions that can affect production and park safety.

3.2. Blackout Risk Assessment

The assessment methodology follows the ISO 31000:2018 [35] Risk Management standard, using a scale from 1 to 5, where 1 indicates very low risk and 5 represents very high risk.

The mathematical model used for risk analysis is based on a quantitative risk matrix structured on five levels. This model involves defining and assigning values to two key dimensions: probability (P) and impact (I), each rated on a scale from 1 to 5. These levels are interpreted as follows:

1—Very low.

2—Low.

3—Medium.

4—High.

5—Very high.

The Frequency of Risk (FR), also referred to as the Frequency Rating, is calculated using the probability (P) and impact (I) values as follows:

$$FR=P\times I$$

(1)

where:

$P={\left[\begin{array}{ccccc}5& 4& 3& 2& 1\end{array}\right]}^T$ represents the probability levels (from very high to very low);

$I=\left[\begin{array}{ccccc}1& 2& 3& 4& 5\end{array}\right]$ represents the impact levels (from very low to very high).

By multiplying each element of P with each element of I, the resulting 5 × 5 quantitative risk matrix is

$$FR=\left[\begin{array}{ccccc}5& 10& 15& 20& 25\\ 4& 8& 12& 16& 20\\ 3& 6& 9& 12& 15\\ 2& 4& 6& 8& 10\\ 1& 2& 3& 4& 5\end{array}\right]$$

This matrix provides a structured framework for evaluating the severity of risks based on the combination of their likelihood and impact.

Risk Classification Based on FR Values

Risks are classified into five categories according to their FR values:

1–3: Very low risk.

4–6: Low risk.

7–12: Medium risk.

13–16: High risk.

17–25: Very high risk.

This classification supports clear prioritization and appropriate mitigation planning for each identified risk level. For example, in the event of a risk with a medium likelihood (3) and a high impact (4), the FR is calculated as 3 × 4 = 12. According to the classification matrix, a value of 12 corresponds to a medium-level risk.

Residual risk calculation

Residual risk (RR) represents the level of risk that remains after all preventive, detective, and corrective control measures have been implemented. Assessing residual risk is essential for determining whether the remaining exposure is acceptable or if additional actions are necessary.

Each control factor is characterized by an efficiency (E) ranging between 0 and 1, where 1 indicates maximum effectiveness in reducing the risk. The residual risk is calculated using the following formula:

$$RR=FR\times \left(1-E\right)$$

(2)

where:

RR is the residual risk;

FR is the initial Frequency of Risk;

E is the efficiency of the applied controls.

Consider a scenario with a medium likelihood (3) and a high impact (4), resulting in

$$FR=3\times 4=12$$

Assuming a control factor with 70% efficiency (E = 0.7), the residual risk is

$$RR=12\times \left(1-0.7\right)=3.6$$

This calculation indicates that the applied controls significantly reduce the initial risk level, bringing it closer to a low-risk category.

The assessment of the combined risk

For multiple risks, the combined risk (CR) is evaluated using an aggregation method, such as weighting the individual risks:

$$RC=\sum _i\left(F{R}_i\times W_i\right)$$

(3)

where

(FR_i) is the risk factor for the risk i;

(W_i) is the weight assigned to risk i.

To build upon the previous relationships, it is essential to identify the relevant risk factor. The selection of risk factors should be context-specific, taking into account areas such as environmental, financial, operational, or technological risks, among others.

Figure 7 provides the propagation scheme of instability and insecurity elements within a system. It begins with dysfunctions, deficiencies, and non-compliances, which contribute to the emergence of vulnerabilities. These vulnerabilities give rise to risks, which in turn generate threats. Threats escalate into hazards, ultimately leading to aggressions—the final and most severe form of systemic impact.

Figure 7 illustrates the sequential phases involved in assessing and managing risks within the SEN.

The process begins with the identification and analysis of systemic elements such as dysfunctions, deficiencies, and non-compliances. These elements lead to the emergence of vulnerabilities, which are then identified and evaluated. Based on these vulnerabilities, specific risks are assessed, followed by the identification and analysis of threats that arise from those risks. The next phase involves assessing the hazards generated by the identified threats, which in turn may lead to aggressions, representing the most severe consequences within the system. Following this progression, the overall security state of the SEN is evaluated. Finally, based on the insights gathered throughout these stages, security strategies are developed to enhance the system’s resilience and ensure its protection against future disruptions.

The diagram in Figure 8 is organized into eight sequential phases, each representing a stage in the process of understanding and managing systemic instability and insecurity. It follows a logical top-down flow—from the root causes (e.g., dysfunctions) to the formulation of security strategies.

Phase 1: Identification and Analysis of Systemic Elements

This phase identifies fundamental issues—dysfunctions, deficiencies, and non-compliances—which are the initial sources of vulnerabilities in the system. These elements interact and propagate, creating instability.

Phase 2: Identification and Assessment of Vulnerabilities

The systemic issues from Phase 1 lead to vulnerabilities, which must be identified and evaluated to understand their impact on the system’s integrity.

Phase 3–6: Risk Propagation Chain. These phases represent a cascade effect:

Phase 3—Risks: Arise from vulnerabilities;

Phase 4—Threats: Emerge from risks;

Phase 5—Hazards: Are the result of threats;

Phase 6—Aggressions: Represent the actual incidents or disruptions caused by hazards.

Each step is associated with identification and assessment, ensuring that the evolution of risk is continuously monitored and understood.

Phase 7: Security Status Assessment

At this point, the accumulated knowledge about vulnerabilities, risks, threats, hazards, and aggressions is used to evaluate the overall security status of the system. This is a critical decision point for determining if the system is secure or requires intervention.

Phase 8: Development of Security Strategies

Based on the assessed security status, security strategies are developed. These aim to mitigate or eliminate the identified vulnerabilities and prevent the future propagation of threats and hazards.

Both Figure 7 and Figure 8 provide valuable visual representations of the full risk management process, containing risk identification, quantification, mitigation, and reassessment.

3.2.1. Parts of the PV Systems

The electrical systems and equipment that are part of a solar PV system (critical energy infrastructure) are listed and described below:

• PV panels
  • Monocrystalline: Mono-Si;
  • Polycrystalline: Poly-Si;
  • Thin-film: Thin-Film;
  • Bifacial: Captures light on both sides;
  • Passivated Emitter Rear Cell (PERC) technology.
• Inverters
  • Centralized: Used in large PV systems and connect several strings of solar panels to a single large inverter;
  • String: Each string of panels has its own inverter and is used in large commercial and residential installations;
  • Microinverters: Each panel has its own inverter and is used in residential systems and small PV systems;
  • Hybrid: Can operate both with the electrical grid and with energy storage batteries and is used in solar PV systems that include energy storage solutions.
• Electricity meters
  • Production measurement: Measures the electrical energy generated by PV panels;
  • Auxiliary consumption measurement: Records the consumption of auxiliary equipment in the park (inverters, cooling systems, lighting, surveillance, etc.);
  • Bidirectional: Monitors both the energy delivered to the grid and the energy consumed from the grid, being essential for self-consumption and grid injection systems;
  • Smart meters: Allows real-time monitoring in integration with SCADA systems to optimize energy management.
• Electrical transformers
  • Role:
    • Voltage boosting: PV panels generate direct current (DC), converted into alternating current (AC) by inverters; this current usually has a voltage of 400 V ÷ 690 V, which must be raised to an appropriate level for efficient transport through the grid (e.g., 20 kV or 110 kV);
    • Loss reduction: Increasing the voltage reduces losses on the power line and allows the efficient transport of electricity over long distances;
    • Grid connection: Ensures compatibility between the PV park and the electricity distribution or transport network.
  • Types:
    • Boosters: Raise the voltage from the level generated by the inverters (400 V–690 V) to 20 kV or 110 kV, to allow injection into the grid.
    • Distribution: Used to power auxiliary equipment in the park (monitoring systems, lighting, air conditioning, etc.).
    • Isolation: Protects the system against faults and avoids the occurrence of ground fault currents.
• Power substations:
  • Medium voltage: 20 kV;
  • High voltage: 110 kV or 220 kV/400 kV.
• Electrical energy storage systems:
  • Types:
    • Electrochemical batteries: Li-ion, lithium–iron–phosphate, lead–acid, redox flow, etc.;
    • Supercapacitors;
    • Hydrogen;
    • Pumped storage;
    • Compressed air, etc.
  • Benefits:
    • Grid balancing: Reduces fluctuations caused by variations in solar intensity;
    • Consumption maximization: Allows the use of the energy produced even when the panels are not generating electricity;
    • Reduction in balancing costs: Minimizes the need to import electricity from other sources during peak hours;
    • Energy security: Ensures constant power supply in microgrids or isolated areas.
• Electrical lines for discharging electrical energy into the distribution or transmission network
  • Underground or overhead medium-voltage power lines;
  • Underground or overhead high-voltage power lines.
• SCADA system:
  • By system architecture:
    • Centralized: All data are collected and processed in a single control center and provides complete visibility over the entire PV park;
    • Distributed: Control is divided between several local nodes that communicate with each other, ensures redundancy and great flexibility, can operate independently in the event of a failure of the central system, and is suitable for large PV systems with multiple conversion stations.
  • By type of communication and technology:
    • Based on industrial protocol (Modbus, DNP3, IEC 61850): Uses communication protocols for industrial equipment and is compatible with most equipment used in solar energy (inverters, energy meters, weather sensors);
    • Cloud-based (IoT—Enabled SCADA: Data are transmitted and processed in a cloud environment, allowing remote access, advanced data analysis, and integration with AI and machine learning.
  • By automation level:
    • Passive (monitoring, no control): Only collects data (generated power, temperature, solar radiation level), decisions are made by human operators and is used in smaller PV systems or in the initial phase of implementation;
    • Active (monitoring and automated control): Can adjust system parameters in real time (optimizing the operation of inverters, changing the angle of solar panels), includes advanced functions such as energy efficiency management and protection against faults
  • By scope:
    • For Energy Management Systems (EMSs): Monitors and optimizes electricity production, integrates with battery systems for energy storage and helps balance the load on the grid;
    • For diagnostics and predictive maintenance: Uses artificial intelligence algorithms to identify possible defects in equipment and can detect efficiency losses of PV panels caused by dirt or defects;
    • For integration with the electrical grid: Ensures compliance with the requirements of grid operators and regulates voltage and frequency to avoid imbalances in the system.

3.2.2. Causes and Effects in Blackout Risk Scenario

• Causes

  (a)

  Natural risk factors

  • Storms and extreme weather events: Strong winds, torrential rains, heavy snow, hail, and lightning, which can damage electrical systems and equipment in PV systems (PV panels, electrical inverters, electrical meters, electrical transformers, energy storage systems, electrical power evacuation lines);
  • Earthquakes or landslides: These events can damage electrical and mechanical infrastructure;
  • Extreme temperatures: Excessive heat or cold can overload the electrical grid or damage PV panels.

  (b)

  Technical risk factors:

  • Defects or poor quality of PV panels;
  • Damage to step-up transformers or overhead or underground cables: Age or wear of equipment;
  • Overload in the PV park: Excessive electricity consumption in the power station;
  • Short circuits in the electrical power lines or in the electrical power distribution panels;
  • Efficiency, life span, and quality of energy equipment;
  • Lack of electrical energy storage systems;
  • Lack or precariousness of SCADA systems;
  • Lack of or poor cybersecurity programs.

  (c)

  Human risk factors:

  • Lack or precariousness of maintenance or repair work;
  • Human errors in the operation or management of the PV park or electrical networks;
  • Acts of vandalism, theft, or sabotage;
  • Lack of investment;
  • Wrong configuration: PV panels, inverters, transformers, electricity evacuation lines;
  • Wrong maneuvers performed by operational or dispatching personnel;
  • Lack of specialized and/or trained operational personnel;
  • Lack of communication or poor communication with DET—Territorial Energy Dispatcher, or DEN—National Energy Dispatcher;
  • Lack of working procedures during a crisis;
  • Lack/non-compliance/ignorance of national/European procedures in case of serious damage (blackout);
  • Lack of training in the field of risk management;
  • Lack of physical security of PV systems;
  • Lack of electricity in the distribution or transport networks: possible local, zonal, regional, or national blackout of the SEN (National Power System);
  • Enormous material damage generated by the lack of electricity to critical consumers, households, and industries;
  • Enormous material damage resulting from the interdependence of other systems on electricity;
  • State of energy, economic, and national insecurity.

• Effects
  • Lack of electricity in the distribution or transmission networks: possible local, zonal, regional, or national blackout of the SEN;
  • Enormous material damage resulting from the lack of electricity to critical consumers, households, and industries;
  • Enormous material damage resulting from the interdependence of other systems on electricity;
  • State of energy, economic, and national insecurity.

3.2.3. The Probability Scale

With the aim to establish the probability of occurrence, the probability scale was adopted, according to

Table 4. The probability scale [36].

Level/ Associated Score		Definition of Probability	Periods
	1. Very low	There is a very low probability of occurrence. Normal measures are required to monitor the evolution of the event.	over 13 years
	2. Low	The event has a low probability of occurrence. Efforts are being made to reduce the probability and/or mitigate the impact.	10 ÷ 12 years
X	3. Medium	The event has a significant probability of occurrence. Significant efforts are required to reduce the probability and/or mitigate the impact.	7 ÷ 9 years
	4. High	The event has a probability of occurrence. Priority efforts are required to reduce the probability and mitigate the impact produced.	4 ÷ 6 years
	5. Very high	The event is considered imminent. Immediate and extreme measures are required to protect the objective, with evacuation to a safe location if the impact requires it.	1 ÷ 3 years

.

3.2.4. The Severity of the Consequences

The severity of the consequences is given by the most unfavorable level of risks and their impact. The risk analysis was conducted according to

Table 5. Impact.

Risk Scenario: Blackout Risks	Level
1. Natural hazards Storms and extreme weather events: strong winds, torrential rain, heavy snow, hail, and lightning, which can damage electrical systems and equipment in PV systems (PV panels, electrical inverters, electrical meters, electrical transformers, energy storage systems, electrical power evacuation lines); Earthquakes or landslides which can damage electrical and mechanical infrastructure; Extreme temperatures, excessive heat or cold, which can overload the electrical grid or damage PV panels.	Very low
	Low
	Medium
	High
	Very high
2. Technical risks Defects or poor quality of PV panels; Damage to step-up transformers or overhead or underground cables: Age or wear of equipment; Overload in the PV park: Excessive electricity consumption in the power station; Short circuits on electrical power lines or on electrical power distribution panels; Low efficiency, lifespan, and quality of energy equipment; Lack of electrical energy storage systems; Lack or precariousness of SCADA systems; Lack of or poor cybersecurity programs.	Very low
	Low
	Medium
	High
	Very high
3. Human risk factors: Lack or precariousness of maintenance or repair works; Human errors in the operation or management of the PV park or the electrical networks; Acts of vandalism, theft, or sabotage; Lack of investments; Wrong configuration: PV panels, inverters, transformers, electrical energy evacuation lines; Wrong maneuvers performed by the operational or dispatching staff; Lack of specialized and/or trained operational staff; Lack of communication or poor communication with DET or DEN; Lack of working procedures during a crisis; Lack/non-compliance/ignorance of national/European procedures in case of serious damage (blackout); Lack of training in the field of Risk Management; Lack of physical security of the PV systems.	Very low
	Low
	Medium
	High
	Very high

.

• Impact Analysis

The impact analysis is an analysis that identifies the impact of the loss of a PV system facility (critical infrastructure) of national importance. The highest level of severity levels related to the impacts will be chosen, according to

Table 6. Impact analysis and its level and severity.

Impacts	Level	Severity
Enormous damage caused by lack of electricity: lack of electricity in case of loss of this facility generated by photovoltaic fields	1. Very low	Temporary
	2. Low	Significant damage
	3. Medium	Average damage
	4. High	High damage
	5. Very high	Very heavy damage
Enormous damage generated by the interdependence of other systems: it represents the volume of capital invested to carry out the photovoltaic field—critical infrastructure with other national public systems, such as: health, transport, industry, economy, etc.	1. Very low	0–10% of VIC
	2. Low	11–20% of VIC
	3. Medium	21–30% of VIC
	4. High	31–40% of VIC
	5. Very high	Over 41% of VIC
Potential environmental damage: it represents environmental damage or losses resulting from the loss of this facility generated by photovoltaic fields, caused by fires, storms, flood, snow, etc.	1. Very low	0–20%
	2. Low	21–40%
	3. Medium	41–60%
	4. High	61–80%
	5. Very high	Over 81%
High social impacts: it represents the loss of confidence of the population over photovoltaic fields as critical infrastructure	1. Very low	0–10% of PC
	2. Low	11–20% of PC
	3. Medium	21–30% of PC
	4. High	31–40% of PC
	5. Very high	Over 41% of PC

VIC—Volume of Invested Capital; PC—Public Confidence.

.

Levels of severity based on the consequences are presented in

Table 7. Levels of severity of consequences [37].

Level/Score		The Severity of the Consequences
	1. Very low	The event causes a minor disruption to the activity, without material damage.
	2. Low	The event causes minor property damage and limited disruption to business.
	3. Medium	Injuries to personnel, and/or some loss of equipment, utilities, and delays in service provision.
	4. High	Serious injuries to personnel, significant loss of equipment, facilities, and delays and/or interruption of service provision.
X	5. Very high	The consequences are catastrophic, resulting in fatalities and serious injuries to personnel, a major loss of equipment, facilities, and services, and interruption of service provision.

.

B.

Assessing risk severity

Table 8. Risk matrix.

PR O B A B I L I T Y	Very high 5
	High 4
	Medium 3					Risk scenario
	Low 2
	Very low 1
	0	Very low 1	Low 2	Medium 3	High 4	Very high 5
Severity/Consequences

Note: Risk is given by the product of the probability of occurrence of a hazard/threat and the severity of its consequences.

illustrates the risk matrix and

Table 9. Calculated risk level.

The calculated risk has the value 15 (probability 5 × severity 3). Therefore, there is a high risk of the event occurring.	Calculated Risk Level
	Level	Score
	Very low	1–3
	Low	4–6
	Medium	7–12
	High	13–16
	Very high	17–25

the calculated risk level.

The calculated risk level is presented in Table 9.

3.2.5. Risk Management

To reduce risks, measures are required to decrease, stop, or eliminate them, as seen in

Table 10. Risk management.

Types of Risk	Proposed Measures
Natural risk factors Storms and extreme weather events: strong winds, torrential rains, heavy snow, hail, and lightning, which can damage electrical systems and equipment in PV fields (PV panels, electrical inverters, electrical meters, electrical transformers, energy storage systems, electrical power evacuation lines); Earthquakes or landslides which can damage electrical and mechanical infrastructure; Extreme temperatures, excessive heat or cold, which can overload the electrical grid or damage PV panels.	Major investments in PV fields (critical energy infrastructure) due to seismic risk; Predictability of natural disasters (links with state institutions in the field of emergency situations); Training and advanced training courses for operational, maintenance and security personnel in the field of emergency situations; Analysis of events in the natural calamities section; Simulations of interventions (very short time) in case of fires; Provision of individual fire extinguishing means and equipment.
2. Technical risks Defects or poor quality of PV panels; Damage to step-up transformers or overhead or underground cables: Age or wear of equipment; Overload in the PV park: Excessive electricity consumption in the power station; Short circuits in the electrical power lines or in the power distribution panels; Low efficiency, lifespan, and quality of energy equipment; Lack of electricity storage systems; Lack or precariousness of SCADA systems; Lack of or poor cybersecurity programs.	High-quality PV panels; High-quality step-up transformers and underground and overhead electrical cables; High-quality electrical equipment and devices (inverters, meters, etc.) High-quality hybrid electricity storage systems; High-performance SCADA systems; High-quality cybersecurity programs; High-performance and secure hardware and software systems; Analysis of events, incidents, etc.
3. Human risk factors Lack or precariousness of maintenance or repair works; Human errors in the operation or management of the PV system or the electrical networks; Acts of vandalism, theft, or sabotage; Lack of investments; Wrong configuration: PV panels, inverters, transformers, electrical energy evacuation lines; Wrong maneuvers performed by the operational or dispatching staff; Lack of specialized and/or trained operational staff; Lack of communication or precarious communication with DET or DEN; Lack of working procedures during a crisis; Lack/non-compliance/ignorance of national/European procedures in case of serious damage (blackout); Lack of training in the field of risk management; Lack of physical security.	Major investments in national and European critical infrastructure; Predictability (security) of the political system; Accessing European funds regarding the security of European critical infrastructures; Training and advanced training courses for operational, maintenance and security personnel; Analysis of events, incidents, etc.; Control of installations on the operating line and performance of preventive maintenance; Compliance and monitoring of physical security norms Training and advanced training courses for personnel with Critical Infrastructure Protection Management responsibilities; Training personnel in cybersecurity.

.

Following the implementation of risk reduction measures, the results are shown in

Table 11. Risk management.

Risks	Identified	Results After Measurement Implementation
Natural risk factors Storms and extreme weather events: strong winds, torrential rains, heavy snow, hail, and lightning, which can damage electrical systems and equipment in PV fields (PV panels, electrical inverters, electrical meters, electrical transformers, energy storage systems, electrical power evacuation lines); Earthquakes or landslides which can damage electrical and mechanical infrastructure; Extreme temperatures, excessive heat or cold, which can overload the electrical grid or damage PV panels.	1. Very low	1. Very low
	2. Low	2. Low
	3. Medium	3. Medium
	4. High	4. High
	5. Very high	5. Very high
2. Technical risks Defects or poor quality of PV panels; Damage to step-up transformers or overhead or underground cables: Age or wear of equipment; Overload in the PV systems: Excessive electricity consumption in the power station; Short circuits in the electrical power lines or in the power distribution panels; Low efficiency, lifespan, and quality of energy equipment; Lack of electricity storage systems; Lack or precariousness of SCADA systems; Lack of or poor cybersecurity programs.	1. Very low	1. Very low
	2. Low	2. Low
	3. Medium	3. Medium
	4. High	4. High
	5. Very high	5. Very high
3. Human risk factors Lack or precariousness of maintenance or repair works; Human errors in the operation or management of the PV system or the electrical networks; Acts of vandalism, theft, or sabotage; lack of investments; Wrong configuration: PV panels, inverters, transformers, electrical energy evacuation lines; Wrong maneuvers performed by the operational or dispatching staff; Lack of specialized and/or trained operational staff; Lack of communication or precarious communication with DET—Territorial Energy Dispatcher, or DEN—National Energy Dispatcher; Lack of working procedures during a crisis; Lack/non-compliance/ignorance of national/European procedures in case of serious damage (blackout); Lack of training in the field of risk management; Lack of physical security.	1. Very low	1. Very low
	2. Low	2. Low
	3. Medium	3. Medium
	4. High	4. High
	5. Very high	5. Very high

.

3.2.6. Reevaluation of the Consequence Severity

Table 12. Level of severity of the consequences.

Level/Score		The Severity of the Consequences
	1. Very low	The event causes a minor disruption to the activity, without material damage.
	2. Low	The event causes minor property damage and limited disruption to business.
X	3. Medium	Injuries to personnel and/or some loss of equipment, utilities, and delays in service provision.
	4. High	Serious injuries to personnel, significant loss of equipment, facilities, and delays and/or interruption of service provision.
	5. Very high	The consequences are catastrophic resulting in fatalities and serious injuries to personnel, a major loss of equipment, facilities, and services, and interruption of service provision.

presents the severity levels of the consequences following the implementation of risk reduction measures

3.2.7. Risk Level After Application of Mitigation Measures

Table 13. Risk matrix.

P R O B A B I L I T Y	Very high 5
	High 4
	Medium 3			Risk scenario
	Low 2
	Very low 1
	0	Very low 1	Low 2	Medium 3	High 4	Very high 5
Severity/Consequences

Note: Risk is given by the product of the probability of occurrence of a hazard/threat and the severity of its consequences.

presents the risk matrix following the application of mitigation measures.

The calculated risk level following the application of mitigation measures is presented in

Table 14. Calculated risk level.

The calculated risk has the value 9 (probability 3 × severity 3). Therefore, there is a medium risk of the event occurring according to the scenario analyzed.	Calculated Risk Level
	Level	Level
	Very low	Very low
	Low	Low
	Medium	Medium
	High	High
	Very high	Very high

.

4. Addressing PV Systems’ Vulnerabilities to Cyberattacks

4.1. Specific Cyber Threats in PV Systems

Industrial and utility-scale PV systems are increasingly exposed to a sophisticated and broad range of cyber threats due to their growing connectivity and reliance on digital technologies. One of the most prevalent risks is unauthorized remote access, where attackers exploit weak or default credentials in inverters, SCADA devices, or Energy Management Systems (EMSs). Misconfigured VPNs or remote desktop services often serve as easy entry points into core components, enabling attackers to disrupt or take control of operations [38].

Malware and ransomware pose additional threats by targeting operator workstations, SCADA servers, or communication gateways. Ransomware can encrypt critical control software, stopping energy generation and disabling real-time monitoring. Likewise, denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks can overwhelm smart inverters and gateways, compromising availability and remote-control functions [39].

SCADA and HMI platforms are particularly vulnerable due to known software weaknesses. Exploits against platforms like SIMATIC WinCC OA can lead to data corruption or system shutdowns. These risks are compounded by spoofing attacks that inject false sensor data—such as manipulated irradiance or production values—causing inappropriate system responses like unnecessary shutdowns or output fluctuations [40].

Compromised third-party software or firmware can introduce backdoors into devices like inverters and controllers. Additionally, unsecure communication protocols (e.g., Modbus, DNP3, SunSpec), lacking encryption or authentication are susceptible to man-in-the-middle (MITM) or replay attacks, allowing attackers to intercept or manipulate critical data flows [41].

Internal threats, whether malicious or accidental, further complicate security. Personnel or contractors may unintentionally share credentials, disable safeguards, or expose sensitive configuration files. Meanwhile, the rise of cloud-based monitoring platforms and mobile/web APIs creates new attack vectors, particularly if interfaces are poorly secured or misconfigured.

Firmware vulnerabilities represent a hidden but serious threat. Exploiting bugs in inverter or battery management system firmware can grant attackers low-level device access, potentially leading to physical damage or cascading failures across the grid. Given that PV systems use standard IT infrastructure and internet-based tools for tasks like revenue metering, condition monitoring, remote diagnostics, and virtual power plant control, the integration of these systems into the internet introduces considerable cybersecurity risks.

Cyber threats to PV systems include financial theft or redirection, unauthorized access to sensitive information, and operational disruptions caused by ransomware or remote manipulation. Attackers may exploit insecure control messages, phishing campaigns, or spoofing techniques to gain initial access and escalate privileges, potentially jeopardizing grid stability or safety.

Even if cyberattacks do not cause physical damage at once, their impact can extend to the broader electric grid—especially given that legacy systems were not designed for variable generation or bidirectional power flow. Threat actors range from opportunistic hackers exploiting known vulnerabilities to sophisticated adversaries pursuing financial gain, reputational harm, or strategic disruption. Some actors engage in corporate espionage to extract intellectual property or sensitive business data, while more advanced threats, possibly state-sponsored, aim to weaponize distributed energy resources (DERs) by progressing through multiple attack stages: infiltration, escalation, data collection, exfiltration, and command-and-control [42].

As legacy infrastructure struggles to function with evolving threats, emerging technologies offer new defense opportunities. Innovations such as cloud security platforms, edge computing, 5G with network slicing, and quantum computing enhance resilience. Quantum technologies, in particular, offer tamper-evident communication and truly random number generation, while machine learning (ML) has the capability to improve fast threat detection.

Given the integration of PV systems into modern energy infrastructure, their digital nature makes them a high-value target. This is heightened by the dominance of a few countries in PV hardware manufacturing, raising concerns over potential embedded vulnerabilities or backdoors. The growing number of small-scale systems also expands the attack surface, complicating centralized cybersecurity management and emphasizing the need for a coordinated and proactive defense strategy [43].

4.2. PV Key Components Vulnerable to Cyberattacks

In PV systems, there are vulnerabilities in every hardware, software, and communication layer, each of which is a potential entry point for cyberattacks.

Hardware components such as inverters, energy meters, controllers, and gateways are often installed in remote or physically accessible locations. Physical accessibility may allow direct manipulation, incorrect setup, or even hardware replacement. Most inverters contain firmware that includes no secure boot operations and therefore are susceptible to code injection. Hardware security modules and the presence of default credentials can lead to the theft of cryptographic keys or unauthorized control function access.

Software vulnerabilities are of particular concern for SCADA systems, local controllers, and web-based monitoring stations. Most of the PV management software is based on legacy software that is never or rarely patched or updated, leaving it vulnerable to the exploitation of known vulnerabilities. Insecure authentication mechanisms, hardcoded credentials, and insecure APIs also compromise the platforms, potentially allowing attackers to take unauthorized control or manipulate business data. Remote code execution and data manipulation could, in other cases, be caused by unvalidated user inputs within interfaces through injection attacks. Cloud services used for remote monitoring can also expose information if APIs are not properly secured or if access logs and alerts are not being closely monitored.

Communication protocols used in PV systems are another major vulnerability. These protocols are designed mostly for functionality and do not typically include encryption or authentication features. This allows interception and data manipulation in a straightforward manner via MITM or replay attacks. Even more advanced protocols, like IEC 61850, can be broken if they are poorly configured or installed without robust key and certificate management practices. The use of insecure communication media, such as open HTTP or Telnet sessions, also enhances the risk factor, especially where remote access or wireless backhaul connections are concerned. Poor segmentation among networks also makes it possible for attackers to laterally move around the PV infrastructure after gaining initial access.

The key components of a solar PV system that are possibly vulnerable to cyber threats are presented in Figure 9.

Inverters are crucial components in PV systems that convert DC produced by solar panels into AC. Unauthorized access can disrupt energy production and potentially damage equipment. Their vulnerabilities to cyber threats are weak authentication and access control, insecure communication protocols, and firmware vulnerabilities. Inverters with default or weak passwords can be easily accessed by cybercriminals. The use of unsecured communication protocols for remote monitoring and control makes them susceptible to eavesdropping or manipulation. Products with outdated or unpatched firmware can have vulnerabilities that may be exploited by attackers [43].

Monitoring and Control Systems (MCSs) allow us to remotely monitor the performance of the PV system and permit operators to control the operation of inverters, storage systems, and other components. Cyber actors can hijack these devices, leading to data breaches or manipulation of system operations. Their vulnerabilities to cyber threats are remote access, data manipulation, and inadequate encryption.

Secured remote access (e.g., via VPN, secure shell—SSH) can prevent forbidden attackers from compromising the system. A lack of secured access would allow attackers to manipulate data, leading to incorrect system analysis or false alarms. A lack of encryption during the transmission of sensitive data (e.g., performance metrics, financial data) can lead to data breaches. Unauthorized access could lead to operational disruptions [43].

EMSs manage the flow of energy within a PV system and between the PV system and the grid, optimizing energy production and storage. Their vulnerabilities to cyber threats are poorly configured security settings, the lack of real-time monitoring, and the unpatched software. EMSs often control critical system processes, making them a high-value target for attackers. Insufficient monitoring can allow cyber intrusions to go unnoticed for extended periods. Vulnerabilities in EMS software can be exploited if it is not regularly updated or patched; therefore, attackers can manipulate energy distribution, potentially causing financial loss or destabilization of the grid.

Smart meters and IoT devices (SM&IoTDs) that monitor energy usage, production, and system health are frequently used in residential and commercial PV systems. Their vulnerabilities to cyber threats are weak authentication, insecure communication, and the lack of regular updates. IoT devices usually have weak or hardcoded passwords, making them easy targets for attackers; therefore, many devices communicate over unsecured protocols, allowing attackers to intercept and manipulate data. Also, many IoT devices are not regularly updated, leaving them exposed to known exploits. The compromised devices could lead to unauthorized access, data leakage, or even the manipulation of energy data.

Data storage and cloud systems (DS&CS) often store the performance data and financial information for analysis and reporting. Their vulnerabilities to cyber threats are data breaches, unsecured APIs, and weak access controls. Sensitive data stored in the cloud are a potential target for cybercriminals, especially if not properly encrypted. The cloud systems that use APIs for remote access can be vulnerable to attack if those APIs are not properly secured. Insufficient access control mechanisms for cloud-based systems can allow unauthorized users to access sensitive data; thus, a breach could lead to the loss of proprietary data, financial information, or manipulation of performance data, potentially damaging the PV system operator’s business reputation.

Networks that connect all the components of the PV system (e.g., inverters, sensors, monitoring platforms) are based on wireless or wired networks. Their vulnerabilities to cyber threats are unencrypted data transmission, insecure wireless networks, and exposed ports. When the transmission between devices and the monitoring platform is not encrypted, attackers could intercept or manipulate data. Wireless communication channels, such as Wi-Fi, Bluetooth Low Energy (BLE), or cellular connections, can be vulnerable to eavesdropping or man-in-the-middle (MITM) attacks. Also, open ports on devices that are part of the communication network can serve as entry points for cyber attackers. Hence, data interception or system control could allow cybercriminals to manipulate the functioning of the PV system.

Grid integration systems (GISs) interface the PV systems with the larger electricity grid, enabling full duplex communication and ensuring the stability of the grid when integrating solar energy. Their vulnerabilities to cyber threats are grid communication and lack of isolation. Insecure communication with grid management systems (e.g., SCADA) could allow attackers to inject malicious commands or manipulate grid operations and insufficient isolation between the PV system and grid control systems increases the risk of cyberattacks spreading. Compromised grid integration could destabilize the electricity grid, disrupt energy flow, and cause financial loss due to system downtime.

4.3. A Brief Literature Review on Cyber Threats and Security Solutions in PV Systems

The scientific literature has extensively examined the vulnerabilities of PV systems, particularly concerning the cybersecurity threats. PV systems are vulnerable to cyberattacks that compromise data integrity and exploit software weaknesses. Such attacks can disrupt operations and compromise system reliability [44]. Integrating the remote monitoring and control applications in PV systems introduces potential cyberattack vectors. Ensuring the confidentiality, integrity, and availability (CIA) of data in these applications is crucial to maintaining system security [45].

Potential-Induced Degradation (PID) is a phenomenon, where high voltage stress causes performance degradation in PV modules, leading to a loss of power of up to 30%. Factors such as system voltage, temperature, and humidity can accelerate PID, affecting the longevity and efficiency of PV systems [46]. Studies identified potential vulnerabilities in distributed inverter VAR (voltage-ampere reactive) control within PV-integrated distribution networks. Cyberattacks exploiting these weaknesses can disrupt voltage regulation and destabilize the power grid [47]. ML-based Intrusion Detection research indicates that ML techniques can effectively detect hidden cyberattacks on PV systems. By analyzing aggregated measurements, these methods can identify anomalies even when attackers manipulate individual system data to remain undetected [48].

In 2020, a study analyzed the impact of cyberattacks on smart grid distribution with a high penetration of PV resources. The research identified potential attack strategies, such as power injection attacks, which could destabilize the grid and disrupt PV system operations [49]. A study published in 2022 highlighted vulnerabilities in EMSs used in PV systems. Weak authentication and insecure communication protocols were identified as potential entry points for cyberattacks, which could lead to unauthorized control over energy distribution and consumption [50]. Cybersecurity experts identified vulnerabilities in the firmware of certain solar inverters. These flaws could have been exploited to disrupt communication between inverters and monitoring systems, potentially compromising the entire solar PV installation [51,52]. Research in 2022 examined the cybersecurity challenges associated with DER, including PV systems. The study found that the interconnected nature of these resources increases the attack surface, making them susceptible to various cyber threats [53].

In the paper “Cyber Security Risk Assessment of Solar PV Units with Reactive Power Control Capabilities,” the impact of cyberattacks on voltage regulation in distribution grids with PV units is investigated. It highlights how malicious actors can exploit vulnerabilities in reactive power control to destabilize the grid [37]. The papers [54,55] present potential cyberattacks on PV systems, including scenarios where attackers could falsify power generation data by spoofing sensor inputs to the PV inverter. Such manipulations can lead to incorrect power output readings and impact grid stability. The study [56] analyzes security oversights in distributed energy resources, including PV systems, and discusses how protocol and device-level vulnerabilities can lead to cyberattacks affecting power system operations. The work in [57] provides an overview of the cybersecurity challenges associated with PV systems, highlighting their vulnerability to anomalies and cyber threats, where the urgency of implementing robust cybersecurity measures to protect the integrity and reliability of PV systems is underlined. The research explores how the integration of solar PV affects the vulnerability of power grids to cyberattacks. It examines potential attack scenarios and their impacts, providing insights into securing distributed generation assets against cyber threats. Several cybersecurity methods have been developed to shield grid-connected PV systems from evolving cyber threats [54]. There are two large categories into which these methods fall: model-based and data-based approaches [58].

Model-based approaches use analytical models to identify anomalies as well as threats. A study has been conducted presenting a quantitative threat analysis framework that uses semantic web technologies to systematically investigate potential attack vectors targeting emerging power generation facilities, such as PV power plants, from multiple dimensions [59]. A robust control framework for AC microgrids based on Kullback-Leibler divergence, aiming to neutralize data-driven attacks, has been presented. A physics-data-driven method utilizing power electronics-based harmonic state space models to detect multiple types of cyberattacks in PV farms with guaranteed detection and precise attack source localization was investigated by Zhang et al. [60].

A defense mechanism with dynamic watermarking has been introduced to identify cyber anomalies in microgrids with a high percentage of renewable energy. Its effectiveness has been proven via simulation in an actual microgrid [61]. A dynamic loop wide-area damping control scheme to enhance the robustness of power systems against detectable and stealth cyberattacks has been proposed [62]. A cross-layer control mechanism to improve the resilience of microgrids against DoS and False Data Injection (FDI) attacks has also been presented. The authors tested the stability and efficiency of this mechanism via simulation experiments [63].

Dynamics-based methods use models to detect and mitigate cyberattacks on PV plants; however, it is challenging to construct accurate models for large PV systems as they are dynamic and complex. Data-driven cybersecurity measures in PV systems utilize past data to design predictive models and identify anomalies. Through statistical techniques and ML models, they analyze system performance, transmission patterns, and operational behavior using data previously acquired.

Using big data is highly attractive for large-capacity PV power plants, where it might not be convenient to design accurate analytical models. Certain data-driven cybersecurity methods targeting PV systems have been introduced in recent years. One uses Parametric Time-Frequency Logic (PTFL) to detect anomalies like FDI attacks, DoS attacks, and malfunctioning of power electronics devices under microgrid scenarios through controller/hardware-in-the-loop simulations [64]. Another approach uses synchro-phasor measurements along with network packet characteristics to construct cyber–physical anomaly-based Intrusion Detection Systems (IDSs) such that remedial actions can be implemented [65]. Additionally, significant research has examined the detection and diagnosis of cyberattacks on PV arrays by time-frequency domain characteristics, enabling discrimination between normal operation modes, open-circuit and short-circuit faults, and malicious cyber activity [66].

Apart from the above, several studies have focused on cybersecurity strategies for PV systems. These studies contribute to improving the cybersecurity of PV systems to make them stable and resilient against potential cyberattacks [67].

4.4. Cyber Incidents in Solar PV Systems

Several recent real-world cases have revealed both cybersecurity vulnerabilities and actual incidents of cyberattacks and security breaches in PV systems, prompting targeted mitigation efforts.

In May 2024, researchers at Bitdefender found a series of critical vulnerabilities in the PV plant management platforms operated by Solarman and Deye. The platforms oversee the production activities of millions of solar installations worldwide, accounting for approximately 195 GW of solar power (roughly 20% of the global solar production) [68]. If exploited, these vulnerabilities would allow attackers to change inverter settings, which could take portions of the electrical grid offline, and increase the risk of damage. These vulnerabilities were disclosed to the systems’ vendors and have been patched [68].

Because of a hijacking attack, remote-monitoring devices for PV systems were compromised in Japan (2024), highlighting vulnerabilities in solar PV power infrastructure. This incident underscored the potential for attackers to disrupt operations or gather sensitive data from compromised systems [69].

U.S. electrical utilities experienced a 70% increase in cyberattacks, with many incidents targeting renewable energy components, including PV systems. These attacks aimed to disrupt power generation and compromise grid stability [70]. The FBI issued a warning about potential cyberattacks on the renewable energy sector, emphasizing that hackers could disrupt operations, steal intellectual property, or hold critical information for ransom. This alert highlighted the increasing interest of cybercriminals in exploiting vulnerabilities within PV systems [71].

The Nordic utility company Fortum reported daily cyberattacks and occasional drone surveillance targeting its power assets, including PV systems, in Finland and Sweden. These incidents reflect the growing threats to energy infrastructure in the region [72].

White-hat hackers in the Netherlands exposed vulnerabilities in PV systems, highlighting their susceptibility to cyberattacks [73]. The Dutch hackers successfully gained control over millions of solar panel systems by exploiting a “backdoor” in the inverters. These inverters, often connected to the internet for monitoring and management purposes, were found to be easily accessible to unauthorized users [74].

These events have prompted the European solar industry to advocate for more rigorous security assessments, especially as it seeks to strengthen its position against dominant global players like China.

4.5. Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) in PV Systems

To identify some of the known vulnerabilities related to the main parts of the PV solar systems (inverters, MCS, EMS, smart meters and IoT devices, data storage and cloud systems, communication networks, and grid integration systems), we used the public sources of the National Vulnerability Database (NVD) [75] and MITRE [76]. These sources host reported CVEs (in software and firmware components), with the related CWE, offering a reliable representation of known issues within software systems. Given the lack of specific releases concerning PV system-related vulnerabilities, our data collection process involved performing an up-to-date keyword-based search within these databases and then filtering the results, as we aimed to identify some of those that are relevant to PV systems [77].

The most recent notified vulnerability is CVE-2025-24865. On the 13th of February 2025, the US National Coordinator for Critical Infrastructure Security and Resilience [78] published an alert (code ICSA-25-044-16) and then DNSC (on 19 February 2025) [79] released the alert regarding critical cybersecurity vulnerability (CVE-2025-24865) identified at the level of some mySCADA products also used in the PV infrastructure. mySCADA and its component myPRO Manager are utilized in industrial systems for monitoring and control purposes. mySCADA provides a comprehensive SCADA solution designed to monitor the performance, efficiency, and status of solar power plants and other industrial applications. mySCADA offers a professional HMI/SCADA system designed for real-time visualization and management of industrial processes, including those in the power and energy sectors. MyPRO Manager serves as a tool within the mySCADA suite that allows users to license the mySCADA PRO V.9 software, manage deployments, and switch between different versions of mySCADA PRO. It also facilitates the setup of SMTP (Simple Mail Transfer Protocol) for notifications, enhancing the operational efficiency of PV systems by providing seamless management and monitoring capabilities [80]. There are vulnerabilities identified in certain versions of mySCADA products. For instance, versions of myPRO Manager before 1.3 and myPRO Runtime before 9.2.1 were found to have vulnerabilities that could allow remote attackers to execute arbitrary commands or disclose sensitive information. The Common Vulnerability Scoring System CVSS 3.1 vulnerability’s score is 10 of 10 (critical). The attack complexity is low, and CIA is all high, with no privileges required.

The CVSS assigns a numerical value (base score) to indicate the severity of a vulnerability. This score ranges from 0 to 10, with higher scores representing more severe vulnerabilities. The severity levels are categorized as in

Table 15. Severity levels.

Score	Range		Severity
	From	To
None	0	0
Low	0.1	3.9
Medium	4.0	6.9
High	7.0	8.9
Critical	9.0	10

[81].

CVE-2025-24865 is a vulnerability affecting the administrative web interface of mySCADA myPRO Manager. The interface can be accessed without requiring authentication, making it possible for unauthorized attackers to gain access and retrieve sensitive information. Furthermore, they can upload files without the need for a password, posing a significant security risk. This vulnerability could potentially allow attackers to launch further attacks or steal confidential data.

Organizations using mySCADA myPRO Manager are advised to apply the necessary patches or updates to mitigate this risk. An attacker who exploits this vulnerability can access the administration interface without authentication, view and exfiltrate sensitive data, upload malicious files to the system, and/or also compromise the security of the entire mySCADA infrastructure [80]. Users are advised to update to the latest versions to mitigate these risks.

In the CVE-2025-24865 vulnerability, there are four weaknesses:

• Weakness ID: CWE-78—There is an improper neutralization of special elements used in an Operating System Command Injection (OSCI).

The product constructs a complete or part of an operating system (OS) command out of externally controllable input received from an upstream component. But it does not properly sanitize or remove special characters that can be used to change the intended action of the command when passed on to a downstream component. This makes the product vulnerable to OSCI, which allows an attacker to inject arbitrary OS commands with potentially escalated privileges. A conceptual representation is presented in Figure 10 [81].

The base score of CVSS v3.1 is 9.8 according to [82]. A CVSS v4 score has also been calculated, and the base score is 9.3 (critical) according to [83]. This vulnerability is caused by this weakness when the attacker does not have direct access to the OS, or, if the weakness occurs within a privileged program, it may enable an attacker to execute commands that would otherwise be inaccessible, or invoke other processes with elevated privileges beyond their authorization. The risk is significantly heightened when the targeted application fails to adhere to the principle of least privilege, as attacker-controlled commands could then be executed with system-level permissions, greatly amplifying the potential impact of the attack [81].

2.

Weakness ID: CWE-306—Missing authentication for critical function (MACF).

A CVSS v3.1 base score of 10.0 has been classified as critical, calculated according to [84]. As per the CVSS vector string [85], its base score is calculated as critical with the score 10.0. The technical impact can be gaining privileges or assuming identity by the attacker, since the product does not verify any functionality that requires a verifiable user identity or consumes a significant number of resources (Figure 11).

Depending on the associated functionality, the effect differs but can extend from reading/modifying sensitive data, accessing administrative or other privileged functionality, or even executing arbitrary code.

3.

Weakness ID: CWE-312—Cleartext storage of sensitive information (CSSI).

The product that is affected stores credentials in cleartext, allowing an attacker to gain sensitive information. Since data are stored in cleartext (i.e., not encoded), attackers can potentially read the data. Although the data could be encoded to make them invisible to humans, some techniques will determine what encoding is being applied, then break the data back out. It can be easier for attackers when organizations deploy cloud services to access the data anywhere on the Internet. In some environments (such as cloud), double encryption (software and hardware) may be necessary, and the developer might have exclusive responsibility for both, not shared responsibility with the administrator of the broader environment [81].

4.

Weakness ID: CWE-352—Cross-Site Request Forgery (CSRF).

The exposed product is vulnerable to CSRF, which can permit an attacker to steal sensitive information. The attacker can trick the victim into visiting a site controlled by the attacker. The technical impact is gaining privileges or assuming an identity. The effect varies depending on what kind of functionality is exposed to CSRF. The attacker would be able to perform any action on the victim’s behalf. If the victim is an administrator or a user with privileges, the effect may be gaining complete control of the web application—stealing or destroying data, removing the product, or employing it to mount other attacks on every one of the product’s users. As the attacker has the victim’s identity, the scope of CSRF is only limited by the victim’s privileges [81].

A complete image of the CVE-2025-24865 is presented in Figure 12.

CVSS v3.1 was released in 2019 as a continuation of version 3.0. It was a significant revision of the CVSS standard to provide a more accurate and easier-to-understand risk assessment of vulnerabilities. Its components are (i) base score (evaluates the overall impact of a vulnerability on a system and how it could be exploited by an attacker. Factors like exploit complexity, required access level, and impact on confidentiality, integrity, and availability are considered), (ii) temporal score (reflects short-term changes to a vulnerability, such as the availability of a public exploit or the presence of a patch), (iii) environmental score (based on factors specific to an organization, such as existing protections and the impact on the system or IT environment). The final score generates a numerical score between 0 and 10, where 0 represents a very low vulnerability and 10 indicates a very severe vulnerability [81].

CVSS v4 is a newly developing version aimed at addressing some of the perceived limitations of version 3.1. Its primary goal is to improve vulnerability scoring and adapt to the new security challenges, including the complexity of modern technological environments. The proposed components (i) enhanced flexibility (include updates to allow for more precise assessments of the impact on distributed systems, cloud systems, and complex infrastructures), (ii) more detailed scoring (additional options to reflect more scenarios and security aspects, such as industrial control systems, IoT, and others), (iii) improved temporal and environmental scoring (better reflection of vulnerabilities’ evolution over time and the ability to add more details about environmental risks and external infrastructure). The final score provides a score between 0 and 10, but with a more detailed methodology to assess the impact and likelihood of exploitation for vulnerabilities [81]. CVSS v3.1 is still the globally used standard for evaluating vulnerabilities, and v4 is under development to address new challenges [81].

As illustrated in

Table 16. A reverse chronological order presentation of weaknesses noticed in CVE.

Year	CWE	Explanation	CVE	Base Score	CVSS Severity
2025	306	MACF	CVE-2025-24865	10	critical
	312	CSSI
	352	CSRF
	78	Improper neutralization of special elements used in an OS command (OSCI)
2022	603	Use of client-side authentication	CVE-2022-33139	9.8	critical
	287	Improper authentication—SCADA system only uses client-side authentication, allowing adversaries to impersonate other users
2019	521	Weak password requirements	CVE-2019-7676	7.2	high
	79	Improper neutralization of input during web page generation (‘cross-site scripting’ XSS)	CVE-2019-7677	6.1	medium
	22	Improper limitation of a pathname to a restricted directory (‘path traversal’)	CVE-2019-7678	9.8	critical
			CVE-2019-19229	6.5	medium
	312	CSSI	CVE-2019-19228	9.8	critical
2018	200	Exposure of sensitive information to an unauthorized actor	CVE-2018-12735	7.5	high
			CVE-2018-12927	7.5	high
2017	noinfo	Insufficient information	CVE-2017-9851	7.5	high
			CVE-2017-9864	7.5	high
	798	Use of hardcoded credentials	CVE-2017-9852	9.8	critical
	521	Weak password requirements—allows brute-force attacks on the password	CVE-2017-9853	9.8	critical
	311	Missing encryption of sensitive data—lack of encryption compromises CIA	CVE-2017-9854	9.8	critical
	311	Incorrect authorization	CVE-2017-9855	9.8	critical
	256	Plaintext storage of a password—storing a password in plaintext may result in a system compromise	CVE-2017-9856	3.4	low
	287	Improper authentication	CVE-2017-9857	8.1	high
			CVE-2017-9860	9.8	critical
	200	Exposure of sensitive information to an unauthorized actor	CVE-2017-9858	7.5	high
			CVE-2017-9862	7.5	high
	327	Use of a broken or risky cryptographic algorithm	CVE-2017-9859	9.8	critical
	74	Improper neutralization of special elements in output used by a downstream component (‘injection’)	CVE-2017-9861	9.8	critical
	352	CSRF	CVE-2017-9863	8.8	high
2012	89	Improper neutralization of special elements used in an SQL command	CVE-2012-5861	7.5	high
	310	Cryptographic issues	CVE-2012-5862	-	high
	264	Permissions, privileges, and access control	CVE-2012-5863	-	high

, the cybersecurity landscape of PV systems has faced a series of documented incidents since 2012.

The year 2022 brought attention to CVE-2022-33139, affecting Siemens’ Cerberus DMS, Desigo CC, and SIMATIC WinCC OA platforms. These systems, widely used in building and energy management—including large-scale PV farms—were found to rely on client-side authentication unless explicitly configured otherwise. Without server-side authentication or Kerberos, these platforms allowed attackers to impersonate users or manipulate communication flows, severely compromising system trust.

In 2019, vulnerabilities in Enphase and Fronius inverters (e.g., CVE-7676, CVE-7677, CVE-7678, CVE-19228, CVE-19229) revealed improper access control and input validation flaws. These included command injection, directory traversal, and exposure of sensitive files, all of which could be exploited via network ports (e.g., TCP 8888). Similar to earlier cases, the reliance on insecure configuration and failure to protect internal paths and files underscored poor implementation of basic security controls.

A significant cluster of vulnerabilities was reported in 2017, notably in SMA Solar Technology’s inverter products. CVEs 9851 to 9864 exposed a broad attack surface, including hardcoded credentials, default password use, weak cryptographic algorithms, insecure communication protocols (e.g., SIP), and a lack of proper authentication and authorization. These weaknesses (mapped to CWE-798, CWE-521, CWE-287, CWE-311, and CWE-200) allowed attackers to bypass security checks, intercept sensitive data, inject malicious firmware, and fully compromise device integrity. Many of these issues were rooted in weak password policies, deterministic authentication codes (e.g., Grid Guard), and a failure to implement encrypted communication.

The earliest reported vulnerabilities, dating back to 2012, targeted the Sinapsi eSolar Light and Schneider Electric’s Ezylog SCADA systems. These included high-severity SQL injection flaws (CVE-2012-5861) and improper authentication (CVE-2012-5862, CVE-2012-5863), which enabled remote attackers to obtain administrative privileges and execute arbitrary commands. These vulnerabilities were primarily due to insufficient input sanitization and the lack of authentication mechanisms.

The analysis of reported CVEs from 2012 to 2022 highlights recurring weaknesses in both system design and implementation, affecting software, firmware, hardware, and communication protocols across several manufacturers and platforms.

According to the findings above, an analysis filling the gap between current protection levels and standards (e.g., ISO/IEC 27001:2022 [7], NIST CSF 2.0/2024 guidelines [86], EU Directive 2022/2555 [87], also known as NIS2 Directive, and OUG 155/2024 [8]) and the status of current implementation with the recommended actions is presented in

Table 17. Gap analysis.

Control Area	Control Requirement	Standard Reference	Current Implementation Status	Gap Description	Risk Level	Recommended Action
Access Control (AC)	Implement MFA for remote access	ISO 27001 A.9.4.2/NIST PR.AC-7	Not implemented	Remote access protected only by username/password	High	Implement MFA using tokens or authenticator apps
Asset Management(AM)	Maintain an up-to-date asset inventory	ISO 27001 A.8.1.1/NIST ID.AM-1	Partially imple- mented	No centralized inventory of PV components	Medium	Deploy asset management system and conduct full inventory
Incident Response (IR)	Establish an incident response plan (IRP) and test it regularly	ISO 27001 A.16.1.1/NIST RS.RP-1	Not implemented	No formal plan for responding to cyber incidents	High	Develop and regularly test an IRP

.

Table 17 is a structured tool to determine how well an organization’s cybersecurity practices meet industry standards (ISO/IEC 27001:2022 [7] and NIST Cybersecurity Framework (CSF) SP 800-37 Revision 2 (2018) [86]). Every row specifies a control area (AC, AM, IR), control requirement, and official standard reference for traceability. NIST PR.AC-7 (users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction) is part of the NIST CSF specifically the Function: Protect (PR) and the Category: Access Control (AC). NIST ID.AM-1 is part of the NIST CSF, specifically under the Function: Identify (ID) and the Category: Asset Management (AM). NIST RS.RP-1 (response plan executed during or after an incident) is part of the NIST CSF under the Function: Respond (RS) and the Category: Response Planning (RP).

The table documents the current implementation status, defines the precise gap, evaluates the associated risk level (e.g., high or medium), and recommends realistic actions to address each issue. The absence of MFA on remote access is a high-risk exposure, with the solution being the establishment of MFA through secure means. Similarly, the lack of a centralized inventory of PV components and the lack of an incident response plan are identified as high-severity weaknesses with tailored recommendations. This table is helpful to guide risk-based decision-making, prioritize resource allocation, support audits, and promote the continuous improvement of cybersecurity posture. The vulnerabilities reported across this decade demonstrate a consistent pattern: insecure default configurations, lack of authentication, weak or absent encryption, and a failure to follow secure software development principles [86].

5. Strategies for Cyber Threats Mitigation in Solar PV Systems

5.1. Cybersecurity Risk Management in PV Systems

Risk management is a structured and ongoing process attempting to identify, assess, and mitigate risks to reduce the impact of threats and vulnerabilities against an organization. While risks cannot be prevented, they can be brought under control to manageable levels by balancing the probable impact of a threat against the control cost. Importantly, the cost of a control should never be greater than the worth of the asset to be protected. The risk management process involves the key steps presented in

Table 18. Risk management process table.

Step	Description	Explanation/Methods
Framing the Risk	Defining threats that give rise to overall risk	Threats may arise due to - Flawed processes; - Insecure products; - Cyberattacks; - Disruption of services; - Legal exposure; - Loss of confidential intellectual property.
Assessing the Risk	Consider the severity of each threat identified	Quantitative assessment (e.g., financial loss) and/or qualitative assessment (e.g., impact on operations).
Responding to the Risk	Reduce exposure to the risks	Each risk needs to be eliminated, decreased, transferred, or accepted based on its assessed impact and available resources.
Planning for Incident Response	Developing and keeping incident response plans, defining roles, responsibilities, and procedures in clear terms	Conducting simulations and drills optimizes organizational preparedness.
Risk Monitoring	Risk management is continuous	Risks must still be monitored, and any remaining (accepted) risk should be monitored carefully to ensure that it remains acceptable.

.

Cybersecurity threats specific to solar PV systems require innovative defense strategies. To address these challenges, the integration of advanced technologies such as artificial intelligence (AI) and ML is essential. These emerging technologies offer new opportunities to enhance the security of PV infrastructures. By analyzing vast volumes of data, AI and ML can detect patterns and anomalies that may indicate an impending cyberattack, enabling timely and proactive countermeasures [88].

5.2. Security Policy for PV Systems

The purpose of a security policy (SP) for PV systems is to establish a framework for protecting PV systems against cyber threats, physical security risks, and operational disruptions. This policy ensures compliance with Romanian energy regulations (ANRE, GDPR, application of NIS2 Directive by OUG 155/2024) and international security standards (ISO/IEC 27001:2022 [7], ISO 31000:2018 [35], IEC 62443:2020 [89], IEEE 1547.3:2023) [90]. Additionally, it aligns with the Industrial Solar Alliance, launched by the European Commission in December 2022, which aims to develop an autonomous and resilient European solar supply chain. This initiative targeted a 30 GW manufacturing capacity by the end of 2025, supporting EU-based production of modules, ingots, wafers, and related technologies to meet both domestic and international demands. The Alliance also focuses on diversifying raw materials sourcing and promoting research and innovation to strengthen Europe’s PV industry.

This policy should apply to the following:

• All PV systems’ assets (solar panels, inverters, SCADA systems, monitoring platforms, sensors, and network infrastructure);
• Personnel (employees, contractors, and third-party service providers handling PV operations);
• Data security (grid connectivity, energy production data, remote monitoring, and communication channels).

The SP objectives are to ensure the CIA of PV systems, prevent unauthorized access to control systems (SCADA, inverters), mitigate cyber threats (malware, phishing, DDoS attacks, ransomware), protect against physical security risks (theft, vandalism, weather damage), ensure compliance with legal and regulatory frameworks, and align with EU strategies to enhance solar PV supply chain security and resilience.

Cybersecurity policy states to access control and authentication, network security patch management and system hardening, and incident response and recovery. All access to PV MCS must be role-based (RBAC), and the MFA for SCADA, remote access, and administrative accounts must be implemented. Also, the least privilege principle must be used for employees who should have access only to the systems required for their job. Regular revision and users’ access rights must be compulsory. Also, the use of firewalls and VPNs for remote access, deployment of IDS and Intrusion Prevention Systems (IPS), and application of encryption (Transport Layer Security—TLS, VPNs) for data communication between PV systems should be enforced. IDS/IPS systems vigilantly monitor the activity of the PV system and also in networks, observing behavior patterns and outliers to discover real-time suspected attacks. With early discovery, PV system managers can respond immediately to reduce destruction and safeguard vital operations. Even so, in the absence of stringent security features like firewalls and encryption, PV systems invite malicious attacks, while vulnerable security systems with protected data leave room for cyberattacks, thereby causing a potential disruption to their activities [91,92].

All software and firmware must be regularly updated. Unused ports and services on SCADA and IoT devices must be disabled. Endpoint security solutions (antivirus, anti-malware, Endpoint Detection and Response—EDR) should be implemented [93].

An IRP for cyber and physical threats must be maintained up-to-date. Cybersecurity drills and penetration tests must be conducted every 6 months. Backup and disaster recovery procedures should be applied regularly.

Physical security policy mentions the perimeter security and asset protection to achieve the following:

• Install fencing, gates, and surveillance cameras (CCTV) around PV farms;
• Use motion sensors and intrusion alarms for unauthorized access detection;
• Maintain security patrols in high-risk areas;
• GPS tracking on high-value assets (inverters, transformers);
• Lightning protection systems for weather-related risks;
• Fire detection and suppression systems at critical sites.

Operational security policy consists of data protection and compliance, and employee training and awareness by achieving the following:

• Encrypt energy production data before transmission;
• Ensure compliance with GDPR for personal data collected from monitoring systems;
• Store logs and audit trails for at least 1 year for forensic analysis;
• Conduct mandatory security training for all employees and contractors;
• Simulated phishing tests to improve awareness;
• Strict onboarding and offboarding procedures for access control.

In response to the growing exposure of European infrastructure to cyberattacks, Directive 2022/2555 (commonly known as NIS2) was adopted, replacing its predecessor, Directive 2016/1148 (NIS1). With NIS2, the ambition of EU cybersecurity increases through an expansion of scope, more defined rules, and stricter supervision measures. It encourages all EU Member States to strengthen their cybersecurity capabilities through the introduction of risk management and reporting obligations on organizations across various sectors, and also establishes requirements on cooperation, exchange of information, oversight, and enforcement of cybersecurity practices [93].

5.3. Compulsory Security Measures

As PV systems become more integral to energy infrastructure, addressing these cyber threats is crucial to maintaining their reliability and safety. The key main strategies are (i) robust cybersecurity measures (strong encryption, regular software updates, and IDS to protect from unauthorized access and attacks), (ii) supply chain vigilance (acquiring main components from reputable manufacturers with transparent security practices can reduce the risk of embedded vulnerabilities), (iii) regulatory compliance (adhering to established cybersecurity standards and guidelines can enhance the resilience of PV systems against potential threats) [93].

PV systems are increasingly vulnerable to cybersecurity threats as they become more connected and automated. The key components of a PV system can be exploited if not properly secured.

To protect PV systems from cyber threats, operators should consider several compulsory security measures:

• Ensuring that all software and firmware in the system are up to date by regular updates and patch management;
• The use of MFA and enforce strong passwords for remote access to devices and control systems for a strong authentication;
• Encrypting data both at rest and during transmission to protect sensitive information.
• Isolate critical components (e.g., inverters, EMS) from less critical systems to reduce the attack surface using the network segmentation principle;
• Deploy IDS to monitor any unusual activity and potential cyberattacks in real time;
• Secure physical assets with locks, surveillance cameras, and restricted access areas to prevent tampering;
• Ensuring that PV components are sourced from reputable manufacturers with transparent security practices can reduce the risk of embedded vulnerabilities as part of a strong supply chain vigilance;
• Adhering to established cybersecurity standards and guidelines can enhance the resilience of PV systems against potential threats.

5.4. Cybersecurity Capability Maturity Model (C2M2) for PV Systems

A very useful self-evaluation tool for the companies managing PV systems is the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The ten domains of the model are an ordered collection of cybersecurity practices. Each collection dictates activities an organization must undertake to develop and sustain its capability in that domain. The risk management domain, for example, outlines practices to develop and enhance an organization’s cybersecurity risk management capability. Each field in the framework includes a purpose statement and an overarching description of its associated practices, providing concise guidance on how to map cybersecurity actions to organizational objectives [93]. This model offers a formal structure for assessing and ranking the cybersecurity posture of an organization with the allocation of maturity indicator levels for ten distinct domains, as shown in Figure 13.

• Risk Management (RISK)

The goal of this framework is to ensure the secure operation of PV systems by managing OT and IT assets in a way that aligns with the risk to critical infrastructure and organizational objectives. Each identified risk is evaluated based on its likelihood and impact to establish priorities as seen in

Table 19. C2M2.

Risk Type	Likelihood	Impact	Risk Level
Unauthorized remote access	High	Critical	High
Malware/ransomware attack	High	High	Critical
Physical theft or vandalism	Medium	High	High
Weather-related damage	Medium	Medium	Medium
Regulatory non-compliance	Low	High	Medium

.

2.

Asset, Change, and Configuration Management (ASSET)

Asset management focuses on maintaining a secure, updated, and properly configured inventory of all hardware, software, and infrastructure components in a PV system, and change management ensures that any modifications to PV systems (hardware, software, or infrastructure) do not introduce security vulnerabilities or operational risks. Configuration management refers to risk-based access control and incident response. Risk-based access control relies on controlling access to assets based on risk to ensure that only authorized personnel can interact with critical PV systems. Incident response and continuous improvement refers to access breach response, continuous risk assessment, and user training and awareness.

3.

Identity and Access Management (ACCESS)

It establishes and maintains technologies, procedures, and plans to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. The policy ensures that practices are proportionate with the risk to critical infrastructure, IT, and OT assets within PV systems.

4.

Threat and Vulnerability Management (THREAT)

This policy establishes and maintains activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information. It integrates data from various security domains to form a Common Operating Picture (COP) for the proactive identification and mitigation of threats and vulnerabilities in PV systems.

5.

Situational Awareness (SITUATION)

This policy establishes and maintains relationships with external and internal organizations to acquire and provide cybersecurity information related to vulnerabilities and threats. The purpose is to reduce threats and maximize operational resilience within PV systems and complement the organizational and critical infrastructure protection objectives.

6.

Information Sharing and Communications (SHARING)

This policy aims to develop and implement procedures, plans, and technologies to detect, analyze, and respond to cybersecurity incidents and to maintain operations under the threat of a cybersecurity incident, commensurate with the risk to critical infrastructure and organizational missions.

7.

Event and Incident Response, Continuity of Operations (RESPONSE)

This policy manages the organization’s OT and IT assets, including both hardware and software, in relation to the risk to critical infrastructure and organizational objectives.

8.

Supply Chain and External Dependencies Management (DEPENDENCIES)

This policy implements and maintains ongoing controls for monitoring cybersecurity threats of services and assets from third parties. These controls should be proportionate to the potential risk to critical infrastructure and aligned with the organization’s strategic objectives.

9.

Workforce Management (WORKFORCE)

This policy aims to create and implement technologies, processes, and strategic plans for advancing a culture of cybersecurity, assuring current appropriateness and competency of personnel—proportional to the level of risk to critical infrastructure according to objectives of the organization.

10.

Cybersecurity Program Management (CYBER)

This policy aims to establish and maintain a company-wide information security program that fosters effective governance, strategic planning, and executive sponsorship of the company’s security efforts, linking information security objectives to broader organizational goals and the evolving threat environment to critical infrastructure [40,93].

5.5. Practical Cybersecurity Measures for PV Systems

To ensure the practical applicability of the proposed cybersecurity framework, three critical countermeasures forming a defense-in-depth approach that can be realistically implemented in PV systems, are network segmentation, anomaly detection systems (ADSs), and encryption protocols. These measures are aligned with vulnerabilities commonly exploited in real-world cyberattacks targeting PV systems.

• Network Segmentation

The logical division of the PV system’s network into isolated zones—such as separating inverter control systems, monitoring interfaces, and corporate IT environments—serves to avoid any unauthorized lateral movement within the entire system. For instance, isolating SCADA networks from publicly accessible interfaces reduces the risk of exploitation through external access points.

B.

ADS

ADSs enable continuous monitoring of network traffic and device behavior to identify deviations from established baselines. Within PV systems, such systems can detect unusual inverter commands, abnormal telemetry patterns, or unexpected access attempts, thereby supporting the early identification and mitigation of potential intrusions.

C.

Encryption Protocols

Secure data transmission is essential for maintaining both operational integrity and confidentiality. The implementation of encryption protocols, ensures the protection of data exchanged between field devices, monitoring platforms, and utility interfaces. These protocols prevent MITM attacks and the unauthorized manipulation of control signals or system data.

6. Conclusions

Upon performing the SWOT analysis of the PV fields, 5 strengths, 10 weaknesses, 4 opportunities, 4 threats, 5 risks, 4 vulnerabilities, 4 hazards, 5 physical protection and security measures, 5 electrical safety and equipment protection measures, and 3 natural factors and disaster protection measures were identified.

The blackout risk assessment of PV fields in Romania—considered critical energy infrastructure—resulted in an initial risk level of 15 (calculated as probability 5 × severity 3), indicating a high-risk category. To mitigate this risk, a set of measures was proposed: six addressing natural risk factors, eight targeting technical risks, and nine related to human factors. Following the implementation of these measures, the reassessed risk level was reduced to nine (3 × 3), corresponding to a medium-risk category.

The risk impact and likelihood analysis point to unauthorized remote access and malware/ransomware attacks as the most serious threats to PV infrastructure. Both are given high likelihood and high impact ratings, with malware/ransomware attacks being extremely serious, assigned a critical risk rating.

Both threats highlight the importance of using strong access controls, MFA, and active cybersecurity defense to protect PV infrastructure from cyber exploitation. Physical danger, such as destruction or robbery, has a high threat level due to its high impact rate, although its likelihood is lower than in the case of cyber threats. Although weather-related improbabilities cannot be prevented, they pose a moderate threat that necessitates continuous environmental monitoring, resilience enhancement, and disaster preparedness measures to minimize potential downtime. Regulatory non-compliance in the areas of energy and cybersecurity is a low-likelihood, high-impact risk. While offenses may be few in frequency, their incidence may be harmful to the company in the form of significant fines, disruption of business, or damage to brand reputation. Ensuring adherence to industry standards, compliance frameworks, and national energy policy is essential in controlling this risk. Generally, the greatest short-term threats to PV systems are posed by cyber risks, requiring strong cybersecurity planning, real-time monitoring, and risk-reduction programs. Physical security and environmental toughness must not be neglected, though, as these support overall PV system stability and dependability.

The European Union’s PV industry association emphasized the need for stronger cybersecurity protocols for distributed energy resources, as well. The association underlines the need for systems capable of centralized coordination or management, such as aggregated rooftop solar PV systems, to undergo authorized European or national-level monitoring. The industry suggests that while existing laws, such as the updated EU NIS2 directive and the Cyber Resilience Act, provide a foundation of aggregated rules, additional measures are necessary.

Table 20. Identified risks and mitigation policies for PV systems.

Risk Category	Key Risks	Mitigation Policies
Natural Risk Factors	Storms, extreme weather, earthquakes, landslides, extreme temperatures. Damage to PV panels, inverters, transformers, and storage systems.	(a) Investments in resilient infrastructure. (b) Collaboration with emergency institutions. (c) Staff training in emergency response. (d) Disaster event analysis. (e) Fire response simulations. (f) Provision of firefighting equipment.
Technical Risks	Defective or poor-quality equipment, short circuits, lack of storage or SCADA systems, cybersecurity gaps.	(a) Use of high-quality PV components and systems. (b) Implementation of hybrid storage and SCADA systems. (c) Deployment of advanced cybersecurity and secure hardware/software. (d) Incident analysis and monitoring.
Human Risk Factors	Human error, vandalism, lack of training, poor maintenance, sabotage, non-compliance with procedures.	(a) Investment in critical infrastructure. (b) Political and institutional stability. (c) Accessing EU security funds. (d) Training in maintenance, operations, and cybersecurity. (e) Preventive maintenance. (f) Compliance with physical security standards.
Cybersecurity Risks	Unauthorized access to PV system controls or data. Malware or ransomware attacks disrupting operations. Lack of MFA or secure communication protocols. Vulnerabilities in SCADA systems and network infrastructure.	(a) Implementation of IPS and IDS. (b) Use of encryption and secure communication protocols. (c) Regular vulnerability assessments and patch management. (d) MFA and role-based access control. (e) Cybersecurity training for operational and administrative personnel.

provides a summary of identified risks along with specific mitigation policies for PV systems.

Following a comprehensive analysis of Romanian PV systems and their growing role in national energy security, this study strongly recommends their classification as critical energy infrastructure. PV installations contribute not only to the stability of the SEN but also to the broader target of safeguarding national security and ensuring long-term societal welfare. Their strategic importance warrants stringent evaluation procedures, enhanced protection measures, and regulatory oversight, particularly for systems that are centrally managed or remotely coordinated, which should fall under national or European-level monitoring frameworks.

While PV systems already form a cornerstone of the global shift toward renewable energy, their designation as critical infrastructure requires a holistic perspective. Beyond energy generation, this involves a stronger focus on resilience, grid integration, scalability, and cybersecurity. Enhancing the capabilities of inverters and control systems can improve their support for grid services, such as voltage and frequency regulation. Likewise, integrating solar PV systems with other renewable sources and storage systems would improve overall reliability and energy continuity. The development of decentralized energy solutions, such as microgrids and virtual power plants, also holds promise for increasing grid flexibility and balancing local demand.

Cybersecurity remains a critical area of concern. Protecting PV infrastructure from cyberattacks requires secure communication protocols, IDS, IPS, and a robust architecture capable of withstanding digital threats, natural disasters, and grid anomalies. Using a smart EMS with integrated AI tools to optimize energy distribution and storage can significantly boost overall system performance.

This study provides a structured risk analysis of PV systems and underscores their strategic importance within national energy infrastructure. The classification of PV systems as critical infrastructure is supported by their growing role in ensuring energy security, grid resilience, and sustainability. However, several limitations must be acknowledged. Seasonal variations in bifacial gain—driven by changes in solar angle, ground reflectivity, and snow cover—can significantly impact energy yield and system efficiency. These effects, while relevant, were not quantitatively addressed in the present analysis. Additionally, rapid technological advancements in PV materials (such as perovskites and bifacial modules), control systems, and energy management tools are expected to influence both system performance and exposure to various risks over time. These developments highlight the need for continuous adaptation of the risk assessment framework. Furthermore, economic factors—including fluctuations in energy pricing, changes in subsidy mechanisms, and the costs associated with implementing advanced cybersecurity measures—play a crucial role in shaping investment strategies and long-term viability, yet fall outside the current study’s scope.

Future research will focus on integrating dynamic models that capture seasonal, technological, and economic variability, enabling more adaptive, realistic, and forward-looking risk assessments for PV systems in the context of critical infrastructure planning.